I ran into a problem after creating a screensaver that requires writing to a file located in Program Files. When the screensaver becomes active it can successfully read a file from there but fails to write to a file.
I noticed that when I use and elevated command prompt to run the screensaver, with /s, the screensaver successfully writes the file. So I assumed this was a permission problem.
To see if it was a permission problem I went in and changed Program Files and the subfolders permissions so that anyone and system could read and write, but it still didn't help.
Any idea what I should do? Is there a way to force a screensaver to run as admin? Or did I miss some important permissions?
You can't get the system to start screensavers with elevated rights. If that were possible then it would be a truly bone-headed security and design flaw. Screensavers should simply not be writing to Program Files or other restricted areas. You will have to find a different location to write this file.
Related
I have a case where my users runs a script (bat) file that I wrote on win7 as admin. Im looking for a simple way (without installing any tools) to make a different script that I wrote run on windows start up through this batch file.
I tried using startup folder but that will run my script without admin rights. I also read about a solution with runas command but it didnt work and also its problematic to know the user details in advanced. I looked online but couldnt find anything to help me to do this automatically through the command line
UPDATE
By looking at the answers im thinking maybe the situation is not clear enough.
Im writing this script on my pc. I give this script (batch file) to my clients, who lack any knowledge of how to do anything but simple stuffs, such as openning cmd as admin and running my batch file that I write in advance. To sum up, I need this batch to be able to set a process (a different batch or vbs file) to run with admin privelleges on startup of the pc (again, without requiring my clients to do any complicated actions, im hoping to get my script to do everything for them)
If you do not have the credentials for the administrator account, you will not be able to run the script with elevated privilege. If you do have those credentials, then you can set up a scheduled task (described at this SevenForums post), running it under the administrator account.
Check the script carefully, and ensure that it's not incorporating anything that may cause problems, like an unavoidable GUI presentation - this question on ServerFault discusses that pitfall.
Make a shortcut to your batch, set its properties>advanced to run as administrator and then move the shortcut to the startup directory.
So I have made a program which copies some files from System32 on 32 bit machine while SYSWOW64 on 64 bit machine to another destination after the User accepts it. I have added an administrator manifest in it so it asks for admin privileges before starting. Is that necessary? I don't want to cook the Users brain by asking him every time for admin privileges. So does copying something from the above two locations need admin privileges?
Regards,
Reading files does not require admin permission, though writing does.
There are a number of implications of this:
If you install Apache, you can read the httpd.conf with notepad but saving fails unless you disable UAC.
You can copy a file from a system directory, but you cannot save a file to a system directory without asking via UAC.
BTW this is one of my biggest issues with UAC -- it means that things behave strangely and that writes can fail after you have already made changes, which can be very annoying if you come from a UNIX background and expect it to work something like sudo....
I've written a Win32 program that at regular intervals retrieves content from a dedicated server on the internet.
Sometimes the Win32 program itself needs to be updated. What I do is exit the said program and run a download-program which replaces the main exe I need to uopdate. This works for users running in Administrator mode but not other mode that has sufficent rights for most tasks. The program runs on it own directory which is not under "c:\Windows\program files\".
I've set a manifest file to no avail.
Is there a workable workaround solution for this (any)?
For security reasons you cannot place files in Program Files without admin rights. If you would be able to this you could in theory change Windows files and place malware as well.
Same goes for Linux and OSX systems.
However you could prompt the user for an Administrator password and gain the admin rights in that way.
You need your updater program to have admin rights. You achieve that by adding the requireAdministrator option in the requestedExecutionLevel section of the application manifest. You said that you have tried this to no avail. Well, you must have got something wrong because this is the solution. You just need to persevere until you get the manifest correct.
I presume that when you say that the [program is not under the Program Files directory you refer to the updater. If the program being updated is not under the Program Files directory then there would seem to be no obvious reason that the updater needs admin rights. If that is so then you need to investigate further.
We've got a VB6 application that reads a simple text file with a .LIC file extension. When everything is working correctly, if the file exists in the same directory as the executable, it reads it. If not, it does other stuff.
I've got a customer with Windows 7 machines, and if he right-clicks the EXE and "Runs as Administrator" it "sees" the LIC file. If he runs the EXE as a basic user, the LIC file cannot be seen.
I've had enough issues with UAC to guess that UAC is running the application from a virtual directory of some sort and that's why the LIC file isn't seen. My customer swears he's turned UAC off.
Anyone have any pointers for me? It would be great if there was a way to tell UAC "let this app do what it wants in this directory". That's out of my expertise. I've been Googling till my fingers fall off, and I can't find the right answer.
Thanks!
If you think virtualization is happening (which would cause it to look somewhere other than Program Files), give him a manifest file called foo.exe.manifest where foo is your executable name and have him put it in the same folder as the exe and the .lic file. This manifest should set the required execution level to asInvoker. This will suppress virtualization and so you can rule that out as part of the problem. He may then get access denied errors but that will help you sort out the problem.
It could also be permissions? If the user is not logged on as administrator, then your program may not have permissions to read the ".lic" file. Have you checked whether the user can open it in Notepad? Is it possible your code might be trying to open it with read/write permissions, which is even more likely to fail?
You may need to change your install so that it lowers the permissions on your apps installation directory.
This is a strange one to me. Let me list the setup:
Application with a manifest (ie: wont get pushed to virtual store)
UAC is turned on (can't write to other program files directories, or other areas, and uac prompt appears)
Can write to "c:\program files\%app_name%\%directory%\" both from within my application (not run as admin) as well as a non admin command prompt
Can not write to "c:\program files\%app_name%\%directory%\%subdirectory%\".
Any ideas? Are there hidden permissions or registry settings somewhere? Could it be that this directory was created when UAC was off, so now its fair game? Could it be that this directory was created in a time of XP, and its fair game?
It makes sense to me why i can't write to the other program files directories and the subdirectory. However I have no idea why i am actually allowed to write to the %directory%?
Side note: If I move the %directory% to another area (appdata), I still can not write to the subdirectory (confused).
Let me know any ideas you may have or anything I can check.
Thanks
EDIT: Arr, sorry, I skimmed your post a little too fast, looks like this is a non-issue!
Have you looked where the written files are actually going?
Vista has a feature where files written into Program Files folders by applications get redirected to a local per user store. This store is located at %userprofile%\AppData\Local\VirtualStore
This is to allow legacy applications which wrote per user settings to Program Files to still operate correctly, also allowing multiple users to use the program without conflict.
There's a button in explorer called 'Compatibility Files' which will take you to this user store.. perhaps your writes are ending up there?
I'm not sure why you cant write to the subdirectory though. Security permissions?